Hackdroid is an Android-based ethical hacking and security testing toolkit designed for security professionals and non-coders alike. The app provides a simple button-based interface that automates command execution in the background, making security tools accessible without requiring command-line knowledge.
IMPORTANT: All 60+ security tools perform REAL network operations with actual API integrations, socket connections, and genuine scan results. No simulations or mockups.
- Button-based navigation - Just tap cards to access tool categories
- Function key shortcuts - Press F1-F12 to instantly launch tools
- Input dialogs with helpful hints and labels
- Automated execution - Tools run in background with progress indicators
- Detailed results - Findings displayed with severity levels and remediation suggestions
- OkHttp 4.12.0 for HTTP/HTTPS connections
- Java Socket for raw TCP port scanning and banner grabbing
- InetAddress for DNS resolution
- SSLContext for TLS/SSL certificate analysis
- Kotlinx Coroutines for async non-blocking operations
- Google DNS-over-HTTPS (dns.google) - DNS record enumeration
- ip-api.com - IP geolocation with proxy/VPN detection
- HackerTarget API - WHOIS lookups and subdomain discovery
- crt.sh Certificate Transparency - SSL certificate log search
- Wayback Machine (web.archive.org) - Historical URL discovery

| Tool | Key | Description | Real Operation |
|---|---|---|---|
| Port Scanner | F1 | Scan ports with service detection and banner grabbing | TCP socket connections to each port |
| SSL/TLS Analyzer | F2 | Certificate validation, cipher analysis, protocol detection | SSL handshake, certificate parsing |
| Security Headers | F3 | Analyze headers with security scoring | HTTP HEAD/GET, header parsing |
| Common Vulns | F4 | Exposed files, admin panels, misconfigurations | HTTP requests to 60+ paths |
| Tech Fingerprint | F5 | Detect CMS, frameworks, servers | Response analysis, cookie inspection |
| WAF Detector | F6 | Identify Web Application Firewalls | Header analysis, payload testing |
| Rate Limit Test | F7 | Test DoS protection | Multiple rapid HTTP requests |
| security.txt | F8 | Security contact disclosure check | HTTP to .well-known/security.txt |

| Tool | Key | Description | Real Operation |
|---|---|---|---|
| DNS Enumeration | F1 | A, AAAA, MX, NS, TXT, SOA, SRV, DMARC records | Google DNS-over-HTTPS API |
| Subdomain Finder | F2 | CT logs + DNS brute force + API | crt.sh + HackerTarget + DNS |
| WHOIS Lookup | F3 | Domain registration info | HackerTarget WHOIS API |
| IP Geolocation | F4 | Location, ISP, proxy/VPN detection | ip-api.com JSON API |
| Email Analysis | F5 | MX, SPF, DMARC configuration | DNS MX/TXT queries |
| Social Media OSINT | F6 | Check 20+ platforms for username | HTTP HEAD requests |
| Wayback Machine | F7 | Historical archived URLs | web.archive.org CDX API |
| robots.txt Analyzer | F8 | Find disallowed paths/sitemaps | HTTP GET robots.txt |
| CT Logs | F9 | Certificate Transparency subdomains | crt.sh JSON API |
| Host Information | F10 | IP info with open port detection | ip-api.com + port scan |

| Tool | Key | Description | Real Operation |
|---|---|---|---|
| SQL Injection | F1 | Error-based, UNION, time-based payloads | HTTP with SQL payloads |
| XSS Scanner | F2 | Reflected XSS with filter bypass | HTTP with XSS payloads |
| Dir Brute-force | F3 | Discover hidden directories/files | HTTP to 70+ common paths |
| CSRF Check | F4 | Form token analysis | HTML parsing for tokens |
| CORS Analyzer | F5 | Origin reflection testing | Malicious Origin headers |
| HTTP Methods | F6 | Test dangerous methods | PUT, DELETE, TRACE testing |
| LFI Scanner | F7 | Local File Inclusion testing | Path traversal payloads |
| Open Redirect | F8 | URL redirect vulnerability testing | Redirect payload testing |
| Clickjacking | F9 | Frame embedding protection check | X-Frame-Options analysis |

- Threat Level Calculation - Automatic risk assessment
- Vulnerability Prediction - Based on detected technology stack
- Attack Surface Analysis - Identify entry points and attack vectors
- Remediation Suggestions - Code examples and configuration fixes
- Attack Plan Generation - Step-by-step exploitation guidance
- Workflow Builder - Create custom tool chains
- Scheduled Scans - Daily, weekly, monthly, or cron-based
- Triggers - Automatic execution based on conditions
- Background Execution - WorkManager integration
- Information Gathering - 15 tools (nmap, enum4linux, etc.)
- Exploitation Tools - 5 tools (metasploit, exploit-db, etc.)
- Phishing Analysis - 10 tools (social engineering toolkit)
- Camera Security - 3 tools (RTSP scanners)
- Social Media OSINT - 3 tools
- SMS Analysis - 6 tools
- Hash Tools - 4 tools (hash-identifier, hashcat)
- XSS Attack Tools - 3 tools
- Concurrent scanning - Up to 20 parallel socket connections
- Service detection - Maps ports to service names
- Banner grabbing - FTP, SMTP, POP3, IMAP, HTTP banners
- Common ports: 21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 993, 995, 1433, 1521, 3306, 3389, 5432, 5900, 6379, 8080, 8443, 27017
- Certificate details - Subject, issuer, validity dates
- Protocol analysis - TLS version detection
- Cipher suite - Cipher strength analysis
- Security checks - HTTPS redirect, HSTS, HSTS preload
- Expiration warning - Alerts for soon-to-expire certificates
- Error-based detection - Database error pattern matching
- UNION-based detection - Column count enumeration
- Time-based blind - Response timing analysis
- Database fingerprinting - MySQL, PostgreSQL, MSSQL, Oracle, SQLite
- Reflected XSS - Direct payload reflection
- DOM-based XSS - JavaScript sink analysis
- Filter bypass - Encoding, case variation, event handlers
```
com.hack.droid/
├── activities/          # 26 UI Activities
│   ├── MainActivity.kt
│   ├── VulnerabilityScanActivity.kt
│   ├── OsintActivity.kt
│   ├── WebAttackActivity.kt
│   ├── ResultActivity.kt
│   ├── HistoryActivity.kt
│   ├── DashboardActivity.kt
│   ├── AutomationActivity.kt
│   └── ...
├── adapters/            # RecyclerView Adapters
│   ├── ToolAdapter.kt
│   ├── ScanResultAdapter.kt
│   └── FindingsAdapter.kt
├── ai/                  # AI Analysis Engine
│   └── AiEngine.kt
├── automation/          # Workflow & Scheduling
│   ├── AutomationEngine.kt
│   ├── WorkflowExecutor.kt
│   └── SchedulerManager.kt
├── models/              # 16 Data Models
│   ├── ScanResult.kt
│   ├── Tool.kt
│   ├── AiAnalysis.kt
│   └── ...
├── services/            # Background Services
│   └── ScanService.kt
├── termux/              # Termux Integration
│   ├── TermuxManager.kt
│   ├── TermuxTools.kt
│   └── TermuxInstaller.kt
├── tools/               # 20+ Security Tools
│   ├── VulnerabilityScanner.kt
│   ├── OsintTools.kt
│   ├── WebAttackTools.kt
│   ├── AdditionalTools.kt
│   ├── NativeToolExecutor.kt
│   └── ...
├── utils/               # Utility Classes
│   ├── NetworkUtils.kt
│   ├── PreferencesManager.kt
│   └── ConfigManager.kt
└── workers/             # Background Workers
    └── ScheduledScanWorker.kt
```
- Language: Kotlin (primary), Java 17 target
- Platform: Android SDK 34 (compileSdk/targetSdk), minSdk 24 (Android 7.0+)
- Build System: Gradle with Kotlin DSL
- Networking: OkHttp 4.12.0, Java Socket, SSLContext
- JSON: Gson 2.10.1
- Async: Kotlinx Coroutines 1.7.3
- UI: Material Design 3, AndroidX (AppCompat, RecyclerView, CardView, Navigation)
- Background: WorkManager 2.9.0, Foreground Services
- Android 7.0 (API 24) or higher
- Internet permission (required)
- Access Network State permission (required)
- Open the project in Android Studio
- Sync project with Gradle files
- Build and run on your device or emulator
```bash
./gradlew assembleDebug
```
- Build the APK using Android Studio or Gradle
- Enable "Unknown sources" in Android settings
- Install on your Android device:
```bash
adb install app/build/outputs/apk/debug/app-debug.apk
```
- Launch the app and accept the legal disclaimer
- Use F1-F12 function keys or tap cards to access tool categories
- Enter the target information when prompted
- View detailed scan results with findings and recommendations
- Results are saved to history for later review
- Create workflows for automated testing
This application is designed for ethical hacking and security testing purposes only. Users must:
- Obtain proper authorization before testing any system
- Only test systems they own or have explicit permission to test
- Comply with all applicable laws and regulations
- Use this tool responsibly
External APIs used have rate limits:
- Google DNS: 1000 requests/day (unofficial)
- ip-api.com: 45 requests/minute (free tier)
- HackerTarget: 100 requests/day (free tier)
- crt.sh: Unlimited but may throttle
Consider configuring your own API keys for production use.
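The free-tier limits listed above can be enforced on the client before a request is sent. The following is an added example, not Hackdroid's own code: `ApiBudget`, `ApiLimits` and the map keys are hypothetical names, and only the numeric limits come from the list above.

```kotlin
// Added example, not Hackdroid code: a client-side throttle for the limits listed above.
// Class, object and key names are hypothetical; only the numbers come from the page.

/** Sliding-window budget: at most [limit] calls in any interval of [windowMs] milliseconds. */
class ApiBudget(private val limit: Int, private val windowMs: Long) {
    private val stamps = ArrayDeque<Long>()   // send times of calls still inside the window

    /** Records the call and returns 0 if allowed, otherwise the milliseconds to wait. */
    @Synchronized
    fun tryAcquire(nowMs: Long): Long {
        // Drop calls that have aged out of the window.
        while (stamps.isNotEmpty() && nowMs - stamps.first() >= windowMs) stamps.removeFirst()
        if (stamps.size < limit) {
            stamps.addLast(nowMs)
            return 0L
        }
        // Budget exhausted: a slot frees up when the oldest call leaves the window.
        return stamps.first() + windowMs - nowMs
    }
}

object ApiLimits {
    private const val MINUTE = 60_000L
    private const val DAY = 24 * 60 * MINUTE

    // Keys are this example's labels for the services named in the list above.
    private val budgets = mapOf(
        "Google DNS" to ApiBudget(1000, DAY),      // 1000 requests/day (unofficial)
        "ip-api.com" to ApiBudget(45, MINUTE),     // 45 requests/minute (free tier)
        "HackerTarget" to ApiBudget(100, DAY),     // 100 requests/day (free tier)
    )

    /** 0 = send now; > 0 = wait that many ms. Services without a listed limit are not throttled. */
    fun waitFor(service: String, nowMs: Long = System.currentTimeMillis()): Long =
        budgets[service]?.tryAcquire(nowMs) ?: 0L
}

fun main() {
    // Constructed timeline: ip-api.com lookups fired one second apart, starting at t = 0.
    var t = 0L
    repeat(45) { check(ApiLimits.waitFor("ip-api.com", t) == 0L); t += 1_000 }
    // The 46th call falls inside the same minute, so it is refused with a wait time.
    println("46th call must wait ${ApiLimits.waitFor("ip-api.com", t)} ms")
    // Once the first call has aged out of the window, a slot is free again.
    println("after the window: wait ${ApiLimits.waitFor("ip-api.com", 60_000L)} ms")
}
```

The budgets are held in memory, so the per-day counters reset when the process restarts; persist the timestamps if the daily limits matter. crt.sh has no stated limit and is left unthrottled here, so the caller still needs to back off when it starts throttling.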
This project is for educational purposes. Use responsibly.
This tool is provided "as is" without warranty of any kind. Use at your own risk.